The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
The vulnerability results from lack of validation and sanitization of input data in the render function handling Twig templates. An attacker can inject malicious code into a Twig template, which will be executed on the server side (Server-Side Template Injection, SSTI). This mechanism allows execution of arbitrary PHP or system code in the context of the web server and reading files accessible to the server process.
An authenticated attacker with Contributor level access or higher can execute arbitrary code on the server and read any files, which may lead to complete server takeover, data breach, and violation of application integrity.
The Dynamics 365 Integration plugin should be updated to the version published in changeset 3210927 or later, in accordance with vendor references available in the WordPress repository.
Dynamics 365 Integration plugin for WordPress in all versions up to and including 1.3.23.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H